How can I restrict the use of operations in Azure API Management (APIM) per user or group

我是研究僧i 提交于 2021-01-04 06:30:44

问题


I'll be so gratefull if you can help me with the following question: I´m resticting the access to use an API in APIM using groups, but I want to restrict even its operations for example: I have an API in APIM with the following operations:

  • OperationA
  • OperationB
  • OperationC

And the following groups of users:

  • Group1
  • Group2
  • Group3

so the idea is to give access to the groups according some business rules for instance:

  • Group1 (OperationA, OperationB)
  • Group2 (OperationA)
  • Group2 (OperationA,OperationB,OperationC).

Is there a way to implement this behavior? Thank you so much


回答1:


Only possible via policy expressions. Use choose policy and check which groups current user is a member of (context.User.Groups) and if you don't see one you need - use return-response to stop request processing.




回答2:


In the operations inbound policy you could add something like this:

<choose>
    <when condition="@(context.User.Groups.Contains(g => g.name == "Group1"))">
         <return-response>
              <set-status code="403" reason="Unauthorized" />
              <set-body>Users in group Group1 do not have access to this method. </set-body>
         </return-response>
    </when>
</choose>

These are the pieces of documentation I referenced to come up with this result:

  • How to set up a conditional policy: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#choose
  • How to access the Group Name from the policy: https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables
  • How to return the response: https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#ReturnResponse

This would make it so any user who belongs to Group1 would receive a response of "Users in group Group1 do not have access to this method." anytime they made a request to this API operation. If you add this to the inbound policy for the API the users in Group1 would be blocked from making calls to any operation in the API.



来源:https://stackoverflow.com/questions/52173211/how-can-i-restrict-the-use-of-operations-in-azure-api-management-apim-per-user

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!